CN2492979Y - Network isolator unit with identity confirmation - Google Patents


Info

Publication number: CN2492979Y
Authority: CN (China)
Prior art keywords: network, computer, user, information, interface
Legal status: Expired - Fee Related
Application number: CN 01246775
Other languages: Chinese (zh)
Inventors: 赵敏, 王凯, 项烨, 邱凌云, 王虹, 吴菲菲, 凌桂红
Current assignee: Individual
Original assignee: Individual

Landscapes

  • Small-Scale Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The utility model provides a network isolation device with identity authentication. It comprises a network selector and a hardware identity authentication device. The network selector is installed between the network interface of a client computer and any other interface of that computer, and can physically isolate the external networks connected to the computer from the hard disk on which the computer's confidential information is stored. The hardware identity authentication device is installed in the computer network system and can be connected to the network selector. Because the utility model combines the network isolation device with the hardware identity authentication device, the network interface of the client is physically isolated from the client's other interfaces by the network selector, and the hardware identity authentication device causes the user information, password and other important information that would otherwise be typed on the keyboard to be stored on the user's hardware password key and transmitted in encrypted form to a checking device for decryption and verification. This ensures that only a user with a legitimate identity can enter the computer network, so the security of the network is greatly increased.

Description

Network isolating device with identity authentication
Technical field
The utility model relates to network interface hardware, and in particular to network isolation interface hardware with identity authentication.
Background technology
With the development of the Internet, technologies such as firewalls have been designed to protect the network where a user's computer is located from intrusion by people on other networks, for example Chinese patent ZL96109573.3 (title of invention: a firewall system). However, these technologies all solve the problem in software and do not physically disconnect the network of the user's computer from other networks. Switching between different networks by manually plugging and unplugging network cables is also quite inconvenient. For this reason, the Chinese patent "network isolation system", publication number CN 1292533A, discloses a network selector that lets a user switch between the internal and external networks, thereby achieving physical isolation and switching of the connection in order to guarantee network security. However, this network selector lacks an identity authentication system and cannot authenticate the identity of the user. As computer networks flourish, the security requirements for system resources and system operation become higher and higher, because illegal users commonly attack a system by stealing passwords and by modifying or forging legitimate users, so that the resources and operation of the system are not safe; confirming the user's identity is therefore an important step in guaranteeing system security. If only the existing identity authentication method, namely a user password, is used for authentication, the password is easily cracked or stolen, so the safe operation of the computer network system cannot be well guaranteed.
Summary of the invention
The purpose of this utility model is to provide a network isolating device that can make a computer network safer.
To achieve this goal, the network isolating device with an identity authentication system provided by the utility model comprises:
A network selector, installed between the network interface of the user's computer and any other interface of the user's computer, which can physically separate the computer's connection to an external network from the hard disk on which the computer stores secret information; at the same time the computer is connected to several networks through the network selector, which guarantees that at any time each computer is physically connected to only one network; and
A hardware authentication device installed in the computer network system that can be connected to the above network selector, comprising:
A hardware key that can encrypt the private key it contains with a public key, and can encrypt its own private information with its private key;
An interface device connected to the above hardware key that receives the encrypted private key and the encrypted private information output by the hardware key;
A checking device that receives the encrypted private key and encrypted private information output by the interface device, decrypts them with its own public key to obtain the user's private key, decrypts the user's encrypted private information with this decrypted private key to judge the user's legal identity and authority to use system resources, and passes the decrypted information to a control device that controls the device system.
Because the network isolating device with identity authentication of the utility model adopts both a network isolating device and a hardware authentication device, it guarantees that the network interface of the user's computer and any other interface of the user's computer are physically separated by the network selector. The hardware authentication device causes the user information, password and other important information that would otherwise have to be entered from the keyboard to be stored together on the hardware encryption key carried by the user, transmitted in encrypted form to the checking device, and decrypted and confirmed by the checking device, so that only a user with a legal identity enters the computer network and the security of the network is greatly improved.
Description of drawings
Fig. 1 is a schematic diagram of the operation, within a system, of the network isolating device with identity authentication of one embodiment of the utility model.
Fig. 2 is the workflow diagram of the network selector of Fig. 1.
Fig. 3 is the working principle diagram of the identity authentication system of Fig. 1.
Fig. 4 is the structural principle diagram of the hardware key of Fig. 3.
Embodiment
The utility model is described in detail below with reference to the accompanying drawings.
As shown in Fig. 1, the utility model is illustrated by a system design consisting of only two servers, two hubs (HUB), N computers and N network selectors 2. This system design places one or several intermediate layers between the Internet and the intranet. Of the two servers, an external server 1 controls Internet access and is connected to the Internet through one hub (HUB), and an internal server 5 is connected through the other hub (HUB) and stores the important documents of each computer 3. Each computer 3 is connected to several networks through its network selector, which guarantees that at any time each computer 3 is physically connected to only one network, thereby guaranteeing the safety of the intranet system. At the same time, by deploying the internal server 5, the important information of the computers is stored centrally and no important documents are kept on the computers themselves, so no information can be stolen when a computer is connected to the Internet. The network selector is connected to the two servers, and it can guarantee that at any time each computer 3 is physically connected to only one network, guaranteeing the safety of the internal network system.
The N network selectors are each mounted between the network interface of the user's computer and any other interface of the user's computer, such as a serial port, parallel port, USB port or any available expansion slot on the PC. A network selector is a physical device that makes and switches a physical connection between the user's computer and exactly one of two or more networks. It accepts the switching commands sent by the network selector control software on the user's computer through any PC interface (serial port, parallel port, USB or any available expansion slot on the PC) and makes the physical connection between the user's computer and the specified network.
The network selector control software is a computer program running on the user's computer that interacts with the user and communicates with the network selector through the serial port, parallel port, USB or any available expansion slot on the PC. It realizes the function of guaranteeing that each computer 3 is physically connected to only one network.
The N network selectors receive the user's network switching command through the network selector control software running on the user's computer; the software sends the switching command in a defined format through any interface of the user's computer (serial port, parallel port, USB or any available expansion slot on the PC) to the network selector, which interprets the command and makes the physical connection to the corresponding network.
As shown in Fig. 2, after the control software of network selector 2 on the user's computer receives the user's command to switch to network Xn, the software sends the "switch to network Xn" command to a PC interface such as the serial port, parallel port, USB interface or bus interface. When the network selector receives the "switch to network Xn" command, it cuts off the physical connection between the user's computer and the currently connected network and switches the user's physical connection to network Xn, thereby completing the network switch.
As shown in Fig. 3, the network isolating device with identity authentication provided by the utility model comprises an identity authentication system and a network selector. The identity authentication system comprises a hardware key 9, an interface device 10, a checking device 12 and a control device 15. In this embodiment the network selector 2 and the checking device 12 are built as one unit, although they can of course be separate. The checking device 12 and the control device 15 are installed in the device system 16. The hardware key 9 is connected to the checking device 12 of the device system 16 through the interface device 10 and can transmit information to the device system 16. The checking device 12 is connected to the control device 15 and can exchange information with it.
In the above system, the hardware key 9 of the user's hardware system has its own private key. It encrypts its own private key with the public key of the checking device and sends the result to the checking device 12, and it encrypts the secret information (private information) to be transmitted with its own private key and then sends the encrypted file to the checking device 12. After the checking device 12 decrypts the private key with its own public key, it obtains the private key of the user's hardware system, decrypts the secret information (private information) with this private key to judge the user's true identity, and thereby determines whether to allow the user to log in to the system. In the present invention, the secret information carried by the user is encrypted with an "asymmetric encryption algorithm", and a specific transfer method is used to check the user's legal identity, or to verify the holder's identity and login information.
Referring to Fig. 4, the hardware key 9 comprises an interface circuit 18, a microprocessor 19 and an electrically erasable memory (EEPROM) 20. The interface circuit 18 is connected to the system and communicates with it. The microprocessor 19 is connected to the interface circuit and to the electrically erasable memory (EEPROM) 20; it encrypts the information stored in the memory 20 and sends it to the interface circuit 18. The electrically erasable memory (EEPROM) 20 can store the user's private information and private key transmitted by the interface circuit 18.
The working process of the authentication system provided by the invention is as follows:
When the system is powered on and started, it sends an instruction to the checking device 12 requiring the checking device 12 to confirm the identity of the user logging in. After receiving the instruction, the checking device 12 sends an instruction to the hardware key 9 through the interface device 10. The hardware key 9 encrypts its own private key with the public key of the checking device 12 and sends it to the checking device 12; at the same time it encrypts the private information (secret information) to be transmitted, such as the user's identity and password, with its own private key and sends the encrypted information to the checking device 12. After receiving this series of information, the checking device 12 decrypts it with its own public key and obtains the private key of the user's hardware system. The checking device 12 can then decrypt the private information with this private key to judge the user's legal identity and authority to use system resources, and passes the recovered information to the control device 15. The control device 15 handles the device system according to the instructions of the checking device 12. After the system is powered on, the checking device 12 periodically sends verification instructions to the user's hardware system; if the checking device 12 verifies and identifies the user's key information and confirms that the user is legal, the user is allowed to use system resources online; if verification fails or the user goes offline, the checking device 12 notifies the control system to shut down the whole system 16.
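The exchange just described, as an added example that is not part of the patent (which names no algorithm): the hardware key wraps its own private key under the checking device's public key using toy textbook RSA with small primes, and encrypts the identity record under that private key using a SHA-256 XOR keystream; the checking device unwraps with the matching RSA private key (an assumption, since the text says it decrypts with its own key), decrypts the record, checks it against its registered users, and repeats the check each tick, shutting the system down when a check fails or the key is unplugged. All key values, names and passwords are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed model of the CN2492979Y exchange, not the patent's code.  The wrap
# is textbook RSA with small primes and the "private key cipher" is a SHA-256
# XOR keystream: enough to run the protocol, not production cryptography.

def make_rsa_keypair(p: int, q: int, e: int = 65537):
    """Textbook RSA from two primes; returns ((e, n), (d, n))."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)

def rsa_apply(key, m: int) -> int:
    exp, n = key
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, exp, n)

def keystream_xor(secret: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt `data` under `secret` (the same call does both)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(secret + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

@dataclass
class HardwareKey:            # hardware key 9: EEPROM 20 holds both fields
    private_key: bytes        # the key's own private key
    private_info: bytes       # "identity:password" record, never typed in

    def respond(self, checker_public):
        """Answer a verification instruction: wrapped key + encrypted record."""
        wrapped = rsa_apply(checker_public, int.from_bytes(self.private_key, "big"))
        return wrapped, keystream_xor(self.private_key, self.private_info)

@dataclass
class Checker:                # checking device 12
    rsa_private: tuple        # (d, n); assumption: the checker unwraps with this
    key_len: int              # byte length of the hardware key's private key
    registered: dict          # identity -> (password, authority)

    def verify(self, wrapped: int, enc_info: bytes):
        """Unwrap the user key, decrypt the record; (identity, authority) or None."""
        user_key = rsa_apply(self.rsa_private, wrapped).to_bytes(self.key_len, "big")
        try:
            identity, password = keystream_xor(user_key, enc_info).decode().split(":", 1)
        except (UnicodeDecodeError, ValueError):  # wrong key -> garbage -> reject
            return None
        entry = self.registered.get(identity)
        if entry is None or not hmac.compare_digest(entry[0].encode(), password.encode()):
            return None
        return identity, entry[1]

def run_session(checker, checker_public, ticks):
    """Power-on check then periodic re-checks; None in `ticks` = key unplugged.
    Returns the state log; a failed or missing check ends it with 'shutdown'."""
    log = []
    for key in ticks:
        result = checker.verify(*key.respond(checker_public)) if key else None
        if result is None:
            log.append("shutdown")    # control device 15 closes the whole system 16
            return log
        log.append(f"online:{result[0]}:{result[1]}")
    return log

def demo():
    """Returns (legitimate session log, wrong-password log, mismatched-record result)."""
    pub, priv = make_rsa_keypair(1000000007, 1000000009)  # constructed checker keys
    checker = Checker(priv, key_len=6, registered={"alice": ("s3cret", "operator")})
    alice = HardwareKey(b"\x13\x37\xc0\xff\xee\x01", b"alice:s3cret")
    stale = HardwareKey(b"\x13\x37\xc0\xff\xee\x01", b"alice:old-pass")
    good = run_session(checker, pub, [alice, alice, None])  # unplugged on tick 3
    bad = run_session(checker, pub, [alice, stale])
    wrapped, _ = alice.respond(pub)                         # record under another key
    _, foreign = HardwareKey(b"\x00\x00\x00\x00\x00\x02", b"alice:s3cret").respond(pub)
    return good, bad, checker.verify(wrapped, foreign)
```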
In addition, the checking device 12 may include a recording device that records relevant information about the use of system resources by the user connected to the device system, so that the checking device 12 can continuously compare and confirm it. This recording device can also be placed in the computer system.
The authentication system provided by the invention can be installed in the checking device of all kinds of computers, in systems that verify certain private information (secret information) carried by the user (the user's intelligent hardware system) and that are logged in to with a legal identity, including: security systems, network communication systems, information interaction systems, card-reading systems, terminal equipment, and the authentication of all kinds of PC communication interface equipment with serial, parallel, USB, PCI, IDE or ISA interfaces.
Because the present invention adopts the above structure, it has the fully compatible function of a secure identity authentication system using a hardware encryption key: the user information, password and other important information that would otherwise need to be typed on the keyboard are stored together on the hardware encryption key carried by the user and delivered to the authentication system in encrypted form, so that the visible user login authentication is converted into an invisible one, and information security is controlled starting from the hardware layer.
In addition, the detailed description of the identity authentication system of the present invention shows that the system has the following authentication properties:
Credibility: it guarantees that the login identity is credible, i.e. that the information sent by the registrant was not sent by an impostor.
Integrity: it requires that the registrant's hardware identity be connected to the system throughout the whole process of using system resources, i.e. the registrant is not replaced during use.
Non-repudiation: because the user's hardware identity is connected to the system, the registrant's use of system resources is recorded by the system, and the user cannot deny it.
Controlled access: illegal users are refused access to system resources, and legal users can only access the resources authorized and specified by the system.

Claims (4)

1. A network isolating device with identity authentication, characterized in that it comprises:
A network selector, installed between the network interface of the user's computer and any other interface of the user's computer, which can physically separate the computer's connection to an external network from the hard disk on which the computer stores secret information; at the same time the computer is connected to several networks through the network selector, which guarantees that at any time each computer is physically connected to only one network; and
A hardware authentication device installed in the computer network system that can be connected to the above network selector, comprising:
A hardware key that can encrypt the private key it contains with a public key, and can encrypt its own private information with its private key;
An interface device connected to the above hardware key that receives the encrypted private key and the encrypted private information output by the hardware key;
A checking device that receives the encrypted private key and encrypted private information output by the interface device, decrypts them with its own public key to obtain the user's private key, decrypts the user's encrypted private information with this decrypted private key to judge the user's legal identity and authority to use system resources, and passes the decrypted information to a control device that controls the device system.
2. The network isolating device with identity authentication of claim 1, characterized in that the checking device includes a recording device that records relevant information about the use of system resources by the user connected to the device system, so that the checking device can continuously compare and confirm it.
3. The network isolating device with identity authentication of claim 1, characterized in that the hardware key comprises:
An electrically erasable memory (EEPROM) that can store the user information and the private key;
An interface circuit connected to the computer system that communicates with that system;
A microprocessor connected to the electrically erasable memory and to the interface circuit, which can encrypt the information stored in the electrically erasable memory and send it to the interface circuit.
4. The network isolating device with identity authentication of claim 1, characterized in that the network selector and the checking device are built as one unit.

Priority Applications (1)

Application CN 01246775 (CN2492979Y): priority date 2001-07-27, filing date 2001-07-27, "Network isolator unit with identity confirmation"


Publications (1)

CN2492979Y (en), published 2002-05-22

Family

ID=33657733


Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1321513C (en) * 2003-04-16 2007-06-13 三星电子株式会社 Device and method for connecting separate networks
CN100440238C (en) * 2005-08-04 2008-12-03 株式会社知识潮 Computer controlling method and system by externally connected device
CN1925401B (en) * 2006-10-12 2011-06-15 中国联合网络通信有限公司北京市分公司 Internet access system and method
CN101667140B (en) * 2008-09-03 2013-02-13 联想(北京)有限公司 Method, device and system for controlling switching of operating systems
CN101640595B (en) * 2008-07-28 2015-03-25 联想(北京)有限公司 Method, device and system for controlling switching of isolation card



Legal Events

Date Code Title Description
C14 Grant of patent or utility model
GR01 Patent grant
C19 Lapse of patent right due to non-payment of the annual fee
CF01 Termination of patent right due to non-payment of annual fee